Free Resource

CMMC Level 2: Your First 90 Days Action Plan

A week-by-week action plan to get your defense contracting business assessment-ready. Built from real compliance programs, not theory.

01
Foundation & Scoping
Weeks 1–4 · The most important phase
Week 1 — Scope Your Environment
Identify all CUI in your environment
Map where Controlled Unclassified Information enters, is processed, stored, and exits your systems. Check email, file shares, cloud storage, and physical documents.
Define your CUI boundary
Identify which systems, networks, and people handle CUI. Consider an enclave approach — isolating CUI systems reduces scope, cost, and complexity dramatically. (NIST 3.13.4)
Inventory all assets in scope
Document every device, server, application, and cloud service that touches CUI. Include make, model, OS version, and owner. (NIST 3.4.1)
Identify your current contracts requiring CMMC
Review DFARS clauses in existing contracts. Check for 252.204-7012 (safeguarding CDI) and 252.204-7021 (CMMC certification). Note deadlines.
Week 2 — Gap Analysis
Complete NIST 800-171 self-assessment
Evaluate your organization against all 110 controls. Be honest — inflated scores help no one. Calculate your SPRS score. (All 14 families)
Document gaps in a Plan of Action & Milestones (POA&M)
For every control not fully implemented, document the gap, planned remediation, responsible person, and target completion date.
Prioritize gaps by risk and effort
Rank gaps by: (1) risk to CUI if unmitigated, (2) effort to remediate, and (3) dependency on other controls. Quick wins first.
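The self-assessment, SPRS score, and POA&M prioritization steps above, worked through as an added example (not part of the original checklist): the score starts at 110 and loses each unimplemented control's weight, and gaps are ranked by risk first and effort second. The control weights and the risk/effort figures in the sample are assumed values constructed for the demo; take real per-control weights from the DoD NIST SP 800-171 Assessment Methodology.

```python
# Constructed sample self-assessment: (control id, short name, assumed weight,
# implemented?, risk to CUI 1-5, remediation effort 1-5). Weights are assumed
# for this demo, not authoritative.
SAMPLE_CONTROLS = [
    ("3.1.1",  "Limit system access to authorized users", 5, True,  5, 3),
    ("3.1.5",  "Least privilege",                         3, False, 4, 2),
    ("3.3.1",  "Audit logging",                           5, False, 4, 3),
    ("3.5.3",  "Multi-factor authentication",             5, False, 5, 2),
    ("3.8.9",  "Protect CUI in backups",                  1, False, 2, 1),
    ("3.13.4", "Prevent unauthorized information transfer", 1, True, 2, 2),
    ("3.13.8", "Encryption in transit",                   3, False, 4, 2),
    ("3.12.4", "System Security Plan",                    0, True,  5, 4),
]


def sprs_score(controls):
    """SPRS score: 110 minus the weight of every control not implemented.

    The methodology treats a missing SSP (3.12.4) as 'assessment cannot be
    completed', so refuse to produce a number rather than report 110.
    """
    ssp = [c for c in controls if c[0] == "3.12.4"]
    if not ssp or not ssp[0][3]:
        raise ValueError("No System Security Plan: SPRS score cannot be computed")
    return 110 - sum(w for _, _, w, done, _, _ in controls if not done)


def poam(controls):
    """Build POA&M entries for every gap, ranked by risk (high first) and
    then by effort (low first) so quick wins surface at the top. Owner and
    target date are left as placeholders to be filled in by the compliance lead.
    """
    gaps = [
        {"control": cid, "gap": name, "weight": w, "risk": r, "effort": e,
         "owner": "TBD", "target_date": None}
        for cid, name, w, done, r, e in controls if not done
    ]
    return sorted(gaps, key=lambda g: (-g["risk"], g["effort"]))


if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    for entry in poam(SAMPLE_CONTROLS):
        print(f'{entry["control"]:7} risk={entry["risk"]} effort={entry["effort"]} '
              f'weight={entry["weight"]} {entry["gap"]}')
```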
Weeks 3–4 — Documentation Foundation
Draft your System Security Plan (SSP)
This is your most important document. Describe your system boundary, architecture, how each of the 110 controls is implemented, and who is responsible. (NIST 3.12.4)
Create or update security policies
You need documented policies for: access control, media protection, incident response, configuration management, identification & authentication, and system communications protection at minimum. (All families)
Establish roles and responsibilities
Assign a compliance lead, system administrator, and incident response coordinator. Document who is responsible for each control area.
02
Implementation & Evidence
Weeks 5–8 · Where the real work happens
Weeks 5–6 — Technical Controls
Deploy multi-factor authentication everywhere
MFA on all accounts that access CUI. This includes VPN, email, cloud services, and remote access. No exceptions. (NIST 3.5.3)
Enable encryption at rest and in transit
FIPS 140-2 validated encryption on all CUI storage (drives, databases, backups) and transmission (TLS 1.2+, VPN tunnels). (NIST 3.13.8, 3.13.11)
Configure audit logging on all in-scope systems
Log: user login/logoff, failed access attempts, privilege escalation, file access to CUI, and system changes. Centralize logs. Retain 90+ days. (NIST 3.3.1, 3.3.2)
Implement least-privilege access controls
Review all user accounts. Remove unnecessary access. Separate admin and user accounts. Implement role-based access control (RBAC). (NIST 3.1.1, 3.1.2, 3.1.5)
Establish configuration baselines
Document approved configurations for all in-scope systems. Use CIS Benchmarks or DISA STIGs as starting points. Track deviations. (NIST 3.4.1, 3.4.2)
Weeks 7–8 — Training & Evidence Collection
Conduct security awareness training
All employees with CUI access must complete training on: CUI handling, phishing recognition, incident reporting, and acceptable use. Document completion. (NIST 3.2.1, 3.2.2)
Implement vulnerability scanning
Deploy automated vulnerability scanning on all in-scope systems. Scan at least monthly. Remediate critical/high vulnerabilities within 30 days. (NIST 3.11.2, 3.11.3)
Create and test incident response plan
Document: detection procedures, roles, communication plan, containment steps, evidence preservation, and reporting requirements (72-hour DoD notification). Run a tabletop exercise. (NIST 3.6.1, 3.6.2, 3.6.3)
Begin collecting evidence artifacts
For each implemented control, collect proof: screenshots, configuration exports, policy sign-offs, training records, scan reports. The assessor will ask for these.
03
Validation & Assessment Prep
Weeks 9–12 · The home stretch
Weeks 9–10 — Internal Testing
Conduct internal mock assessment
Walk through all 110 controls as if you're the assessor. For each control, can you demonstrate implementation AND show evidence? Document gaps.
Review and finalize SSP
Ensure every control has an accurate implementation description. Verify the system boundary diagram matches reality. Check that all personnel are listed.
Update POA&M with remaining gaps
Any controls not fully implemented need a POA&M entry. Include realistic timelines. Assessors accept legitimate POA&Ms — but not for every control.
Test backup and recovery procedures
Verify backups are encrypted, stored off-site, and actually recoverable. Test a full system restore. Document the results. (NIST 3.8.9)
Weeks 11–12 — Assessment Preparation
Engage a C3PAO
Contact an accredited C3PAO from The Cyber AB marketplace. Schedule your assessment. Expect 2-4 week lead times minimum. Earlier is better — the queue is forming.
Organize evidence artifacts
Create a structured evidence folder mapped to each NIST control family (14 folders). Label everything clearly. Make it easy for the assessor.
Prepare key personnel for interviews
The assessor will interview your system admin, security lead, and potentially end users. Brief them on: what CUI is, how they handle it, and what to do if they suspect an incident.
Final readiness review
Walk through the complete package one more time: SSP, POA&M, policies, evidence artifacts, network diagrams, personnel list. If everything aligns, you're ready.

The Bottom Line

This checklist covers the foundation. Every contractor's environment is different, and some items will take more time depending on your starting point.

What this checklist doesn't replace: A compliance partner who knows what assessors actually look for. The difference between "we implemented the control" and "we can prove we implemented the control" is where most contractors stumble.

Perfect is the enemy of certified. You don't need a perfect security program. You need one that passes, reduces real risk, and that you can maintain after the assessor leaves.

Ready to Get Compliant?

Principal-led CMMC preparation. One consultant, start to finish. Assessment-ready documentation — faster than you think.